hipaa-ps-3 High priority Physical Safeguards / Workstation Security

Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users

Physical access to workstations must be restricted to authorized users. An unlocked workstation in an accessible location is an open door to ePHI. HIPAA requires physical safeguards for all workstations that access ePHI, including those in clinical areas, administrative offices, and remote locations. This is distinct from the Workstation Use standard (45 CFR §164.310(b)), which defines how workstations may be used; this requirement, Workstation Security (§164.310(c)), covers the physical controls that prevent an unauthorized person from sitting down at a workstation and accessing the system.

Implementation steps

  1. Physically secure workstations in accessible areas

    In areas accessible to the public or non-authorized staff (waiting rooms, registration desks, public corridors), position workstations so screens face away from public view and keyboards are not accessible to patients or visitors. Consider physical barriers, cable locks for laptops, and privacy screens where appropriate.

  2. Secure mobile devices and laptops

    Laptops and mobile devices that access ePHI are particularly exposed because they leave the facility. Enforce full-disk encryption on every laptop and mobile device through your MDM, and escrow recovery keys centrally, so that loss or theft of a device does not expose ePHI; under HHS guidance, ePHI encrypted in a manner consistent with that guidance is not "unsecured PHI", so such a loss is generally not a reportable breach. Two caveats: full-disk encryption protects data only while the device is powered off or locked with the key unavailable, so pair it with short auto-lock timeouts and TPM- or PIN-backed pre-boot protection; and remote wipe only takes effect when the stolen device next connects, so treat it as a supplement to encryption, not a substitute. Establish policies for storing devices securely when not in use.

    Related tools: Intune, Jamf, Microsoft Endpoint Manager
  3. Restrict physical access to workstations in sensitive areas

    Workstations in areas such as the pharmacy, laboratory, or executive offices, where highly sensitive ePHI is accessed, should be in rooms with controlled access. Ensure only authorized staff can enter those rooms, and use badge access or coded door locks appropriate to the risk level of the ePHI accessible from those workstations. Retain the entry logs where the door system produces them; they are also the evidence for this step.

    Related tools: HID access control, Confluence
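Step 2 and the "Device encryption configuration" evidence item below ask for proof that each laptop is fully encrypted with its recovery key escrowed. The following PowerShell script is an added example, not code from the original page or from any of the tools it names: it reads the local endpoint's BitLocker state, records the findings a reviewer would reject, and emits one row for an evidence CSV. The function and parameter names, the choice of the OS volume as the volume that must be encrypted, and escrow to Entra ID are assumptions made for this example.

```powershell
# Added example, not from the original page: collect BitLocker evidence from the
# local Windows endpoint for the "Device encryption configuration" evidence item.
# Run in an elevated PowerShell session on Windows 10/11 Pro/Enterprise or
# Windows Server, which ship the BitLocker module used here.
# Assumptions not stated on the page: the OS volume is the one that must be
# encrypted, and recovery passwords are expected to be escrowed to Entra ID.

#Requires -RunAsAdministrator
Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerEvidence {
    [CmdletBinding()]
    param(
        # Hypothetical parameters, named for this example only.
        [string]$MountPoint = $env:SystemDrive,
        # Escrow each recovery password to Entra ID. Off by default so a plain
        # run only reads state and changes nothing on the device.
        [switch]$EscrowToEntra
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $findings = New-Object System.Collections.Generic.List[string]

    # Suspended protection (common after a firmware update) leaves the volume
    # encrypted but the key stored in the clear; anything other than On fails.
    if ([string]$vol.ProtectionStatus -ne 'On') {
        $findings.Add("ProtectionStatus is $($vol.ProtectionStatus), expected On")
    }
    # A volume still encrypting has plaintext sectors left on disk.
    if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("VolumeStatus is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    # XTS-AES is the current default; older CBC modes still count as encrypted
    # but are worth flagging in the report.
    if ([string]$vol.EncryptionMethod -notin @('XtsAes128', 'XtsAes256')) {
        $findings.Add("EncryptionMethod is $($vol.EncryptionMethod), expected XTS-AES")
    }
    # Without a TPM-based protector the drive unlocks with a password alone;
    # without a recovery password a forgotten PIN means lost data.
    if (-not ($protectorTypes -contains 'Tpm' -or $protectorTypes -contains 'TpmPin')) {
        $findings.Add("No TPM-based key protector (found: $($protectorTypes -join ', '))")
    }
    if ($protectorTypes -notcontains 'RecoveryPassword') {
        $findings.Add("No RecoveryPassword protector; recovery key cannot be escrowed")
    }

    if ($EscrowToEntra) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            # Uploads the recovery password to the device's Entra ID object so the
            # help desk can recover the drive without physical access to it.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $vol.MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus
        VolumeStatus     = [string]$vol.VolumeStatus
        EncryptionMethod = [string]$vol.EncryptionMethod
        KeyProtectors    = ($protectorTypes -join ';')
        Compliant        = ($findings.Count -eq 0)
        Findings         = ($findings -join '; ')
        CollectedAt      = (Get-Date).ToString('o')
    }
}

# Usage: one row per endpoint, appended to the evidence file the auditor sees.
Get-BitLockerEvidence | Export-Csv -Path .\bitlocker-evidence.csv -NoTypeInformation -Append
```

The script only attests to encryption state; whether a recovery key is actually escrowed is confirmed from the Intune or Entra ID device record, and remote-wipe readiness is verified in the MDM console, not on the device. For macOS endpoints the equivalent local check is `fdesetup status`, and Jamf's inventory reports FileVault state and the escrowed personal recovery key per device.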

Evidence required

Workstation physical security documentation

Evidence of physical controls on workstations accessing ePHI.

  • Physical security walkthrough documentation
  • Workstation placement policy
  • Photos or descriptions of workstation security controls

Device encryption configuration

Evidence that laptops and mobile devices are encrypted.

  • MDM policy showing full-disk encryption enabled
  • BitLocker or FileVault deployment report

Related controls